
FBI accused of planting backdoor in OpenBSD IPSEC stack

A former OpenBSD contributor claims that the FBI paid open source developers …

In an e-mail sent to OpenBSD project leader Theo de Raadt, former NETSEC CTO Gregory Perry has claimed that NETSEC developers helped the FBI plant "a number of backdoors" in the OpenBSD Cryptographic Framework (OCF) approximately a decade ago.

Perry says that his nondisclosure agreement with the FBI has expired, allowing him to finally bring the issue to the attention of OpenBSD developers. Perry also suggests that knowledge of the FBI's backdoors played a role in DARPA's decision to withdraw millions of dollars of grant funding from OpenBSD in 2003.

"I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI," wrote Perry. "This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same."

The e-mail became public when de Raadt forwarded it to the OpenBSD mailing list on Tuesday, with the intention of encouraging concerned parties to conduct code audits. To avoid entanglement in the alleged conspiracy, de Raadt says that he won't be pursuing the matter himself. Several developers have begun the process of auditing the OpenBSD IPSEC stack in order to determine if Perry's claims are true.

"It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack," de Raadt wrote. "Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are."

OpenBSD developers often characterize security as one of the project's highest priorities, citing their thorough code review practices and proactive auditing process as key factors behind the platform's reputation for security. If Perry's allegations prove true, FBI backdoors that went undetected for a decade would be a major embarrassment for OpenBSD.

The prospect of a federal government agency paying open source developers to inject surveillance-friendly holes in operating systems is also deeply troubling, and similar backdoors could exist in other software. It's still too early to know if the claims are true, but the OpenBSD community is determined to find out.
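The mechanism Perry alleges, "side channel key leaking", is the hardest kind of backdoor to spot because the leaked bits can be made to look like ordinary random data on the wire. The following is an added illustration written for this page, not code from OpenBSD, the OCF or NETSEC: it models a hypothetical IPSEC-style per-packet IV that is secretly a slice of the session key XORed with a keystream only the backdoor's owner can regenerate, and beside it the black-box dependency check an auditor can run to expose it. The constants ATTACKER_SECRET, KEY_LEN, IV_LEN and the IV layout are assumptions for the demonstration only; nothing here describes any actual OpenBSD code.

```python
# Added example for this page, not OpenBSD or OCF code. It models the class of
# mechanism the allegation describes ("side channel key leaking"): a packet IV
# that looks random on the wire but is a function of the session key, next to
# a black-box audit check that exposes it. ATTACKER_SECRET and the IV layout
# are assumptions for illustration only.
import hashlib
import os
from typing import Callable, Dict, List, Tuple

KEY_LEN = 16   # bytes of session key (assumed, e.g. AES-128)
IV_LEN = 8     # bytes of per-packet IV (assumed)
ATTACKER_SECRET = b"hypothetical-backdoor-secret"  # known only to the leak's designer


def fixed_rng(seed: bytes) -> Callable[[int], bytes]:
    """Deterministic stand-in for the kernel RNG so two runs can be compared byte for byte."""
    counter = [0]

    def draw(n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(seed + counter[0].to_bytes(8, "big")).digest()
            counter[0] += 1
        return out[:n]

    return draw


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def honest_iv(key: bytes, seq: int, rng: Callable[[int], bytes]) -> bytes:
    """Correct behaviour: the IV is fresh RNG output and never touches key material."""
    return rng(IV_LEN)


def leaky_iv(key: bytes, seq: int, rng: Callable[[int], bytes]) -> bytes:
    """Hypothetical covert channel: each packet's IV is an 8-byte slice of the key
    XORed with a keystream derived from ATTACKER_SECRET and the sequence number.
    Every IV is unique and passes randomness tests, yet two captured packets
    reveal the whole key to whoever knows the secret."""
    rng(IV_LEN)  # consume RNG output so call counts match the honest path (hides the leak from coarse tracing)
    chunk = key[(seq % 2) * 8:(seq % 2) * 8 + 8]
    pad = hashlib.sha256(ATTACKER_SECRET + seq.to_bytes(8, "big")).digest()[:IV_LEN]
    return xor(chunk, pad)


def recover_key(captured: List[Tuple[int, bytes]]) -> bytes:
    """What the leak's owner does with sniffed (seq, iv) pairs: peel off the keystream."""
    halves: Dict[int, bytes] = {}
    for seq, iv in captured:
        pad = hashlib.sha256(ATTACKER_SECRET + seq.to_bytes(8, "big")).digest()[:IV_LEN]
        halves[seq % 2] = xor(iv, pad)
    return halves.get(0, b"?" * 8) + halves.get(1, b"?" * 8)


def iv_depends_on_key(iv_fn: Callable[[bytes, int, Callable[[int], bytes]], bytes],
                      trials: int = 32) -> bool:
    """Audit check: hold the RNG fixed and change only the key. A genuinely random IV
    must not change; any difference proves key bits flow into the IV. This is a
    dependency test, not a randomness test, which the leak above would pass."""
    for seq in range(trials):
        seed = os.urandom(16)
        k1 = os.urandom(KEY_LEN)
        k2 = bytes(b ^ 0xFF for b in k1)  # differs from k1 in every byte
        if iv_fn(k1, seq, fixed_rng(seed)) != iv_fn(k2, seq, fixed_rng(seed)):
            return True
    return False


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    sniffed = [(seq, leaky_iv(key, seq, fixed_rng(os.urandom(16)))) for seq in range(2)]
    print("leaky IVs recover key:", recover_key(sniffed) == key)        # True
    print("honest_iv depends on key:", iv_depends_on_key(honest_iv))    # False
    print("leaky_iv depends on key:", iv_depends_on_key(leaky_iv))      # True
```

The point of the check is that statistical tests on captured traffic cannot catch this class of leak, since the leaked bytes are masked by a keystream the auditor does not know; only a test that varies the key while holding every other input constant (or, in a source audit, tracing every data-flow path from key material to bytes that reach the wire) shows that the key influences the IV at all. An auditor working through a real IPSEC stack would apply the same idea to every output field the standard says must be independent of the key: IVs, padding bytes, sequence numbers and any "reserved" fields.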

"If Perry's allegations prove true, the presence of FBI backdoors that have gone undetected for a decade would be a major embarrassment for OpenBSD."

I see this as a broader issue (and not even getting into the politics and motivation behind it): One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it. If the claims turn out to be true it brings into question that assumption. It may be that everyone assumed because anyone could audit it, someone else already had.

It will definitely be interesting to see what people have to say about it, whether the backdoors are really there, and at what point they might have been disabled or removed by code changes. If they didn't last long, that would strengthen the open source claims (i.e. subsequent developers saw code that didn't seem tight enough, or focused enough, or secure enough, and changed it, even if they didn't realize that the weakness was intentional).

Or maybe this guy is still in the employ of the FBI, and the FBI doesn't like OpenBSD because they can't crack its encryption, and they are finding more and more of their targets using OpenBSD. So why not plant a little FUD and send people scurrying away from the platform?

If this turns out to be accurate, I think the only conclusion that can be drawn is that the OpenBSD project leaders at the time (Theo?) were in on it from the beginning. ... or they are guilty of profound dereliction of duty. Take your pick.

I find it ironic that this occurred in open source software, where such shenanigans are supposed to be impossible. Eyes wide shut apparently...

Or maybe this guy is still in the employ of the FBI, and the FBI doesn't like OpenBSD because they can't crack its encryption, and they are finding more and more of their targets using OpenBSD. So why not plant a little FUD and send people scurrying away from the platform?

"If Perry's allegations prove true, the presence of FBI backdoors that have gone undetected for a decade would be a major embarrassment for OpenBSD."

I see this as a broader issue (and not even getting into the politics and motivation behind it): One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it. If the claims turn out to be true it brings into question that assumption. It may be that everyone assumed because anyone could audit it, someone else already had.

That may be true to some degree, however, I would argue that it is safer to have the ability to audit the code. I'm not certain that it's even been assumed to be inherently safer. If this were true, I imagine OSS would be inherently bug-free, too. In the end, it's humans writing the code and humans auditing the code (for the most part) and humans managing the workflow process for the code to move into the distribution. All of these are weak links.

Whereas the question raised by thiago_pc couldn't necessarily be validated, or at least not at the time of its allegation, here the code can be analysed and resolved within a reasonable time frame. Simply because workflow is such that things like this get missed doesn't truly mean that it makes the practice of open source vs proprietary development any less secure. If anything, it talks to how the maintenance of the IPSEC stack has been managed.

To put it another way, I'm going to use the axiom, "shit happens." Given that, I'd prefer to be able to determine where/how that shit happens vs. relying on someone else to do so. To me, this ability makes it more secure.

One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it. If the claims turn out to be true it brings into question that assumption.

Actually, I think it brings into question: What other projects has this been done to where we can't examine the source to verify the claims?

At least with OpenBSD, it can be done. For closed source software, this isn't possible.

Or maybe this guy is still in the employ of the FBI, and the FBI doesn't like OpenBSD because they can't crack its encryption, and they are finding more and more of their targets using OpenBSD. So why not plant a little FUD and send people scurrying away from the platform?

Or maybe *you* are in the employ of a group of open source zealots that are trying to put forth an "FBI hates BSD" conspiracy theory in order to plant a little FUD and send people scurrying to OpenBSD to defend its honor?

OpenBSD developers often characterize security as one of the project's highest priorities, citing their thorough code review practices and proactive auditing process as key factors that contribute to the platform's reputedly superior security. If Perry's allegations prove true, the presence of FBI backdoors that have gone undetected for a decade would be a major embarrassment for OpenBSD.

Of course, if they discover, during the audits, that 99% of these backdoors were caught and fixed due to these code audits, it could be a boon for their reputation. I would imagine that this is going to be a useful case study.

Article wrote:

The prospect of a federal government agency paying open source developers to inject surveillance-friendly holes in operating systems is also deeply troubling. It's possible that similar backdoors could potentially exist on other software platforms. It's still too early to know if the claims are true, but the OpenBSD community is determined to find out if they are.

I don't know about 'deeply troubling'. I'd call it 'fully expected'. In contract work for a government agency, we have a lot of trouble using even simple open source software, as there is no guarantee that a foreign national contributing to the project hasn't done the same or worse for their government, and the systems we work on handle sensitive information, so security is serious business, so to speak.

One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it. If the claims turn out to be true it brings into question that assumption.

Actually, I think it brings into question: What other projects has this been done to where we can't examine the source to verify the claims?

At least with OpenBSD, it can be done. For closed source software, this isn't possible.

If it's closed-source then the backdoor would have been done intentionally by the creator of the software.

If it's open source, then anyone could potentially slip in a backdoor. Sure you can audit the code, but how often is that done? And if you don't know what you're looking for, it can be hard to find.

Take the Debian bug which made SSH keys guessable, that wasn't malicious, but still was released unnoticed by the developers (and was kinda egregious). If the devs of OpenSWAN decided to sneak in a backdoor, how many people would necessarily notice (especially if the devs were particularly crafty)?

Which is just to say that being open-source doesn't necessarily provide an advantage in this case, unless there are regular and thorough audits (if the whistle-blower is correct then OpenBSD might have been compromised for years).

Which is just to say that being open-source doesn't necessarily provide an advantage in this case, unless there are regular and thorough audits (if the whistle-blower is correct then OpenBSD might have been compromised for years).

That's really why I want to see where this goes. OpenBSD makes a point of their thorough and regular code audits. If they caught these 'bugs' early and often, this is a wonderful story and a victory for properly-managed Open-source security software.

If these bugs all (or mostly) slipped through the radar, it's probably evidence of just how complex cryptography really is... but it'll be a reinforcement of many people's world-views.

If NONE of these bugs have been fixed prior to this disclosure, it'll be really bad news, and hurt the reputation of most security software. (Intelligent people will realize that Microsoft is no more immune to employees taking FBI bribes than open-source developers, and given the deployed base, the Microsoft bribes might be larger. And if the FBI is particularly smart about it, they don't leave it up to the employee/contractor to construct the backdoor, but get code samples and work it with a team to develop subtle breakages and information leaks (as someone above noted the OpenBSD backdoor is suspected to be)).

One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it. If the claims turn out to be true it brings into question that assumption. It may be that everyone assumed because anyone could audit it, someone else already had.

It will definitely be interesting to see what people have to say about it, whether the backdoors are really there, and at what point they might have been disabled or removed by code changes. If they didn't last long, that would strengthen the open source claims (i.e. subsequent developers saw code that didn't seem tight enough, or focused enough, or secure enough, and changed it, even if they didn't realize that the weakness was intentional).

+++

If the claims are true and if the backdoors are still present then this would be a major blow to the integrity of open-source projects in general, and the impact would extend well beyond OpenBSD. Obviously we need to await the result of a thorough audit, though. This story will have legs.

@Putrid Polecat: Yes... Well, you're among a vanishingly small minority. Especially when you consider that this is not about Americans whatsoever. The FBI has no right to do surveillance on (for example) Canadians talking to Britons: these communications do not go through the US, and do not involve the US.

Anyhow, this is almost certainly all BS. As stated in the mail thread: OpenBSD doesn't accept crypto patches from Americans or anyone currently living in the US. They're too afraid of running afoul of US crypto export laws. So in effect, the FBI would have had to hire foreign nationals to insert these back doors, and then hoped and prayed they could figure out how to enforce NDAs.

Also, IIRC, classified information is not subject to the usual contractual NDAs. If the FBI did this, it would be classified/secret/top-secret, not merely NDA, and therefore he just committed treason, unless someone in the US government declassified this info (why would they *EVER* do that? They're not even declassifying the stuff published by wikileaks, and that's public knowledge. Double-think is real.)

@Putrid Polecat: Yes... Well, you're among a vanishingly small minority. Especially when you consider that this is not about Americans whatsoever. The FBI has no right to do surveillance on (for example) Canadians talking to Britons: these communications do not go through the US, and do not involve the US.

...

But it is. Berkeley Standard Distribution. Berkeley, California. Made in the USA. There were encryption export regulations for years and these backdoors were not inconsistent with that export philosophy. Other countries are free to develop their own IPSEC implementations. Just sayin'.

So am I the only one here who believes that the FBI should be able to conduct surveillance?

So the FBI should be able to conduct surveillance on any computer running OpenBSD or using the OpenBSD IPSEC stack? Even if that computer is running in another country? In America even the FBI should require a warrant to conduct surveillance, and they have no jurisdiction over people in other countries.

If it's closed-source then the backdoor would have been done intentionally by the creator of the software.

True. The point is that there's no way for anyone to find out, short of black box testing. Even then, the creators can claim it to be a bug rather than a feature.

Quote:

If it's open source, then anyone could potentially slip in a backdoor.

While most open source projects welcome contributions from anyone, most also only let certain individuals have access to actually committing code changes into the official source code.

That said, a long con could allow an attacker to get that kind of access and then subtly put vulnerabilities into the software that take a long time to get detected.

Quote:

Sure you can audit the code, but how often is that done? And if you don't know what you're looking for, it can be hard to find.

Even if you do know what you're looking for, it can be hard to find. You have a point though -- without regular code audits there's no way to catch this kind of stuff. Collusion can even overcome those for a while.